GraphQL introspection → BOLA → mass enum
GraphQL endpoint exposes its full schema. Discover an unauth'd or under-authorized resolver, enumerate every user's data by iterating IDs.
§ Context
Assumed environment: GraphQL is in production with introspection enabled (or disabled but recoverable from JS bundles). Authorization is enforced on top-level resolvers only.
§ Steps
- 01 Exfil PII / credentials (Exfiltration, T1041 — Exfiltration Over C2 Channel)
- 02 Locate /graphql endpoint (Reconnaissance, W-RECON-API-DISCO — API Endpoint Discovery)
- 03 Map types, fields, mutations (Discovery, W-GRAPHQL-INTRO — GraphQL Introspection)
- 04 Run __schema introspection (Discovery, W-GRAPHQL-INTRO — GraphQL Introspection)
- 05 Find unguarded nested field (Discovery, W-GRAPHQL-AUTHZ — GraphQL Field-Level AuthZ Gaps)
- 06 Enumerate every user via BOLA (Privilege Escalation, W-BOLA — Broken Object Level Authorization (API BOLA))
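The authorization gap that steps 05 and 06 depend on is easiest to see in code. The example below is added here and is not code from the original dossier or from any project it describes; it models a GraphQL-style resolver tree in plain Python (no graphql library) over constructed sample data. The names `Viewer`, `USERS`, `ORDERS`, the `resolve_*` functions and `gate_query` are all assumptions of this example. The weak resolver set checks authorization only on the top-level `user` resolver, matching the assumed environment above, so any nested or secondary path to `order` returns other users' objects; the hardened set checks ownership of every object it returns, and a production gate refuses `__schema` / `__type` queries. `foreign_orders_readable` is the kind of regression test a defender can keep in CI: for a non-admin viewer it must return 0.

```python
"""Field-level authorization for a GraphQL-style resolver tree.

Added example (not code from the original page). Models two resolver sets over
constructed sample data: a weak one where only the top-level 'user' resolver
checks authorization, and a hardened one where every resolver that returns an
object checks that the viewer may access *that* object. All names here
(Viewer, USERS, ORDERS, resolve_*, gate_query) are assumptions of this example.
"""
import re
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the viewer may not read the requested object."""


@dataclass(frozen=True)
class Viewer:
    user_id: str
    role: str = "user"


# Constructed sample data standing in for the application database.
USERS = {
    "u1": {"id": "u1", "email": "alice@example.test", "orders": ["o1", "o2"]},
    "u2": {"id": "u2", "email": "bob@example.test", "orders": ["o3"]},
}
ORDERS = {
    "o1": {"id": "o1", "owner": "u1", "card_last4": "1111"},
    "o2": {"id": "o2", "owner": "u1", "card_last4": "2222"},
    "o3": {"id": "o3", "owner": "u2", "card_last4": "3333"},
}


def can_access_user(viewer: Viewer, user_id: str) -> bool:
    """Ownership rule: a viewer may read their own user record; admins read all."""
    return viewer.role == "admin" or viewer.user_id == user_id


# --- Weak pattern: authorization only on the top-level resolver -------------

def resolve_user_weak(viewer: Viewer, user_id: str) -> dict:
    if not can_access_user(viewer, user_id):
        raise Forbidden(f"user {user_id}")
    return USERS[user_id]


def resolve_order_weak(viewer: Viewer, order_id: str) -> dict:
    # No check here: whoever reaches this resolver (via a nested field or a
    # second root field) gets any order by ID. This is the BOLA gap.
    return ORDERS[order_id]


# --- Hardened pattern: every object-returning resolver checks its object ----

def resolve_user_hardened(viewer: Viewer, user_id: str) -> dict:
    user = USERS.get(user_id)
    if user is None or not can_access_user(viewer, user_id):
        raise Forbidden(f"user {user_id}")
    return user


def resolve_order_hardened(viewer: Viewer, order_id: str) -> dict:
    order = ORDERS.get(order_id)
    # Check the owner of *this* object, not merely that the viewer is logged in.
    if order is None or not can_access_user(viewer, order["owner"]):
        raise Forbidden(f"order {order_id}")
    return order


# --- Introspection gate for production deployments --------------------------

# Matches the meta-fields __schema and __type but not ordinary __typename.
INTROSPECTION_FIELD = re.compile(r"\b__(schema|type)\b")


def gate_query(query: str, production: bool = True) -> bool:
    """Return True if the query may run; introspection is refused in production."""
    return not (production and INTROSPECTION_FIELD.search(query))


# --- Authorization regression test ------------------------------------------

def foreign_orders_readable(order_resolver, viewer: Viewer) -> int:
    """Count orders not owned by 'viewer' that 'order_resolver' hands back.

    A correct object-level authorization policy makes this 0 for a non-admin.
    """
    count = 0
    for order_id, order in ORDERS.items():
        if order["owner"] == viewer.user_id:
            continue
        try:
            order_resolver(viewer, order_id)
            count += 1
        except Forbidden:
            pass
    return count


if __name__ == "__main__":
    bob = Viewer("u2")
    print("weak resolver, foreign orders readable:", foreign_orders_readable(resolve_order_weak, bob))
    print("hardened resolver, foreign orders readable:", foreign_orders_readable(resolve_order_hardened, bob))
    print("introspection allowed in prod:", gate_query("{ __schema { types { name } } }"))
```

Disabling introspection alone does not close the path (the schema can be rebuilt from client bundles, as the context notes), so the ownership check in every object-returning resolver is the control that matters; the introspection gate only reduces how cheaply the schema is mapped.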
§ References
§ Frequently asked
- What is the "GraphQL introspection → BOLA → mass enum" attack path?
- GraphQL endpoint exposes its full schema. Discover an unauth'd or under-authorized resolver, enumerate every user's data by iterating IDs. It chains 6 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is Exfil PII / credentials (T1041) — an exfiltration primitive. Assumed environment: GraphQL is in production with introspection enabled (or disabled but recoverable from JS bundles).
- What is the final impact of this kill-chain?
- The final step lands on Enumerate every user via BOLA (W-BOLA), which falls under Privilege Escalation. From here, an operator typically pivots into post-exploitation or maintains persistence.
- How can defenders detect or prevent this attack?
- Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.
§ Related dossiers
- Open MongoDB → dump every collection (shared techniques: 2)
  Shodan-indexed MongoDB on 27017 with no auth. Connect, list databases, dump every collection. Often the second stage is a ransom note in a new 'README' collection.
- Signature replay across chains → token drain (shared techniques: 2)
  EIP-2612 permit() signed without chainId / domain separator binding. Capture the off-chain signature on one chain and replay it on another to drain ERC-20 approvals.
- Root detection + SSL pinning bypass → MITM the API (shared techniques: 2)
  Rooted test device with Frida. Hook the app's root-detection and OkHttp CertificatePinner; route traffic through Burp to expose the entire authenticated API surface.
- JWT RS256 → HS256 algorithm confusion → admin (shared techniques: 2)
  Server verifies any algorithm declared in the JWT header. Sign an HS256 token using the public RSA key as the HMAC secret — server accepts it as legit.
- Single-packet race → coupon stacking (shared techniques: 2)
  Coupon redemption check happens before the apply step. Send 20 redemptions in a single TCP packet — the app validates each in parallel and applies all of them.
- NoSQL injection → auth bypass → admin (shared techniques: 2)
  Login endpoint passes user-supplied JSON into a MongoDB query. Send {"$ne": null} to bypass the password check.